CVE-2024-32002

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-32002
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-32002.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-32002
Aliases
Downstream
Related
Published
2024-05-14T18:40:46.652Z
Modified
2026-04-16T03:48:18.347276Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Git's recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution
Details

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Database specific 
{
    "cwe_ids": [
        "CWE-22",
        "CWE-434"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32002.json"
}
References

Affected packages

Git / github.com/git/git

Affected ranges

Type
GIT
Repo
https://github.com/git/git
Events
Introduced
73876f4861cd3d187a4682290ab75c9dccadbc56
Fixed
b9b439e0e3a543ddb920e4cf8d3c9d53f730111f

Affected versions

v2.*
v2.40.0
v2.40.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-32002.json"